Enclave shows "Illegal instruction" or the daemon fails to start on ARM64 Linux
Symptoms
After installing Enclave on a supported Linux distribution (Ubuntu 22.04+, Debian 12+, etc.), one or more of the following occurs:
enclave: Illegal instruction
Or:
sudo systemctl start enclave
enclave.service: Main process exited, code=killed, status=4/ILL
Or the service runs but profiles never start and dnsmasq errors appear in the journal.
Cause
There are two independent issues that can prevent Enclave from running correctly on ARM64 Linux systems.
Illegal instruction (SIGILL)
The Enclave binary runs on the .NET 10 runtime, which performs runtime CPU feature detection and JIT-generates small native stubs into executable memory (memfd mappings). On ARM64 systems with older ARMv8.0 cores (such as the Cortex-A53 found in the Raspberry Pi 3 and 4), the runtime incorrectly enables hardware intrinsics that require newer ARM extensions — for example, newer atomic, crypto, or SIMD instructions. The generated stub contains opcodes the CPU cannot execute; the kernel traps this as SIGILL ("Illegal instruction") and the process is killed.
Setting DOTNET_EnableHWIntrinsic=0 disables these intrinsics and forces the JIT to emit only baseline ARMv8.0 instructions, which all ARM64 cores can execute.
dnsmasq service control failure
The Enclave daemon manages DNS by executing dnsmasq restart to cycle the local resolver. However, dnsmasq is a daemon binary rather than a service wrapper — it does not accept lifecycle verbs like restart as arguments. On systemd-based distributions, dnsmasq restart is treated as an invalid invocation and exits immediately. This prevents the Enclave supervisor from bringing profiles online, even when the main process itself is running.
Providing a wrapper script at a higher-priority path that redirects lifecycle verbs (start, stop, restart, etc.) to systemctl aligns the daemon's assumptions with how Linux actually manages services.
Resolution
Apply the following steps once per system.
1. Disable .NET hardware intrinsics globally
Create a system-wide environment variable:
echo DOTNET_EnableHWIntrinsic=0 | sudo tee -a /etc/environment
Allow sudo to preserve the variable:
sudo visudo
Add:
Defaults env_keep += "DOTNET_EnableHWIntrinsic"
2. Add the runtime flag to the Enclave service
Create a systemd override:
sudo systemctl edit enclave
Add:
[Service]
Environment=DOTNET_EnableHWIntrinsic=0
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Reload systemd:
sudo systemctl daemon-reload
3. Fix dnsmasq service control
Install a compatibility wrapper that translates dnsmasq restart into the correct systemd command:
sudo tee /usr/local/sbin/dnsmasq >/dev/null <<'EOF'
#!/bin/sh
# Compatibility wrapper: send lifecycle verbs to systemd, pass anything else to the real binary.
case "$1" in
    start|stop|restart|reload|status)
        exec systemctl "$1" dnsmasq
        ;;
    *)
        exec /usr/sbin/dnsmasq "$@"
        ;;
esac
EOF
sudo chmod +x /usr/local/sbin/dnsmasq
Ensure dnsmasq is installed and enabled:
sudo apt-get install -y dnsmasq
sudo systemctl enable --now dnsmasq
4. Restart the Enclave daemon
sudo systemctl restart enclave
Verify:
enclave version
enclave status
sudo systemctl status enclave
Enclave should now operate normally via CLI, sudo, and the background daemon.
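The wrapper from step 3 takes effect only because the PATH set in step 2 puts /usr/local/sbin ahead of /usr/sbin, so whoever can write /usr/local/sbin/dnsmasq decides what the Enclave service runs when it calls dnsmasq. The script below is an added example, not part of Enclave or of the original article, that checks the resolution order, the wrapper's ownership and mode, and that the override reached the unit. It assumes GNU coreutils stat as shipped on Ubuntu and Debian, and its function names are illustrative.

```shell
# Added example: post-install checks for the dnsmasq wrapper. Not Enclave tooling; assumes GNU stat.

# PATH copied from the systemd override in step 2.
SERVICE_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Print the first executable regular file named $1 in the colon-separated list $2.
resolve_in_path() {
    name=$1
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.    # an empty PATH entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Succeed only if $1 is a regular file (not a symlink), owned by uid $2
# (default 0), and not writable by group or others.
wrapper_is_safe() {
    file=$1; want_uid=${2:-0}
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    owner=$(stat -c %u "$file") || return 1
    mode=$(stat -c %a "$file") || return 1     # octal, e.g. 755
    [ "$owner" = "$want_uid" ] || return 1
    case $mode in
        *[2367]?|*[2367]) return 1 ;;          # group or other write bit set
    esac
}

main() {
    rc=0
    first=$(resolve_in_path dnsmasq "$SERVICE_PATH") || first=none
    [ "$first" = /usr/local/sbin/dnsmasq ] || { echo "FAIL: dnsmasq resolves to $first"; rc=1; }
    wrapper_is_safe /usr/local/sbin/dnsmasq 0 || { echo "FAIL: wrapper is not a root-owned file with mode 755 or stricter"; rc=1; }
    case $(systemctl show -p Environment enclave 2>/dev/null) in
        *DOTNET_EnableHWIntrinsic=0*) ;;
        *) echo "FAIL: DOTNET_EnableHWIntrinsic=0 not set on enclave.service"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then main; fi
```

Invoke it with --check after step 4; without that argument it only defines the functions.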
Having problems? Contact us at support@enclave.io or get help and advice in our community support channels.
Published February 2026